RedCurl, a cyber threat group active since 2018 and known for stealthy corporate espionage, has now shifted its approach by deploying ransomware targeting Hyper-V virtual machines.
Initially identified by Group-IB, RedCurl primarily targeted corporate organizations globally, later expanding its reach. However, as reported by Bitdefender Labs, the group has now incorporated ransomware into its operations.
“We’ve seen RedCurl stick to their usual playbook in most cases, continuing with data exfiltration over longer periods of time,” states the Bitdefender report. “However, one case stood out. They broke their routine and deployed ransomware for the first time.”
With businesses increasingly adopting virtualized infrastructure, ransomware groups are adapting by designing encryptors for these environments. While most ransomware variants target VMware ESXi servers, RedCurl’s latest tool, QWCrypt, focuses specifically on Hyper-V.
Bitdefender’s analysis reveals that RedCurl initiates attacks through phishing emails containing .IMG attachments disguised as CVs. When opened, these disk image files auto-mount in Windows, executing a malicious screensaver file. This technique exploits DLL sideloading via a legitimate Adobe executable, enabling persistence through scheduled tasks.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: